On Tue, 2006-01-17 at 20:31 +0100, Paweł Madej wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Mark Rudholm wrote:
> > Benjamin Smee (strerror) wrote:
> >
> > I feel compelled to point out that 8-character passwords,
> > no matter their composition, aren't really that strong
> > anymore. Also, forcing users to use special characters
> > and change passwords frequently only guarantees that they
> > will write them down, often not in secure places.
> >
> > You might consider having users use longer passwords
> > (a passphrase). They're easier for a user to remember,
> > so they're less likely to write them down. They're also
> > far more resistant to brute force attacks and guessing.
> > Also consider that if you require two capital letters,
> > 2 numbers, and 2 special characters, you've just reduced
> > the number of possible 8-character passwords quite
> > significantly.
>
> In some cases yes, but you have to take into account that [a-zA-Z0-9] and
> special signs give a very big volume of possible combinations. In this
> case I think that it is much more secure than a 12 [a-zA-Z] password which
> could be named a passphrase.
>
> > It's usually very easy for a user to remember something
> > like 'My child flies kites.' but if you make them use
> > things like '^3!kX$1a' and force changes every couple
> > of months, they *will* write it on a post-it note and
> > stick it in their desk drawer or on their display.

As random as that example password I used was, it doesn't
meet your criteria for a 'strong password' (it doesn't have
two capital letters).

> In this case I have to say that it is 100% right because users are very
> lazy, they don't want to think. The social effect is the biggest hole in
> all security.
> So what do you propose, Mark? Setting only a minimum length of 12? 15 signs
> and leaving users to choose which signs they want to use to make their
> passphrase?

Well, if I were designing a password policy, I'd probably set
the minimum length to 11 characters of any sort, set either no
password expiry or a very long one, and include password management
in the basic security training I gave users. In that training, I'd
explain passphrases and that users shouldn't write them down.
I'd discuss how to avoid phishing and spyware, and what to do with
emailed attachments. Any one of these could be an attacker's
entry point.

-Mark

--
gentoo-server@g.o mailing list
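To put numbers on the policies debated in this thread, here is an added worked example (not part of the original mail): it counts the 8-character space with and without the "two capitals, two digits, two specials" rule, and sets it beside Mark's 11-characters-of-any-sort and Paweł's 12-letter [a-zA-Z] alternatives. It assumes the 94 printable ASCII characters without space, 32 of which are counted as special signs.

```python
"""Password-space sizes for the policies discussed in the thread."""
from itertools import product
from math import factorial, log2

# Assumed alphabet: printable ASCII without space, split into four classes.
LOWER, UPPER, DIGIT, SPECIAL = 26, 26, 10, 32
FULL_SET = LOWER + UPPER + DIGIT + SPECIAL          # 94 symbols

# The contested 8-character rule: at least 2 capitals, 2 digits, 2 specials;
# lower-case letters fill whatever is left (minimum 0).
RULE_2_2_2 = [(UPPER, 2), (DIGIT, 2), (SPECIAL, 2), (LOWER, 0)]


def unconstrained(length, alphabet=FULL_SET):
    """Strings of `length` drawn freely from `alphabet` symbols."""
    return alphabet ** length


def with_minimums(length, classes):
    """Exact count of strings of `length` in which every (size, minimum)
    class occurs at least `minimum` times: sum over all ways of dividing
    the positions among the disjoint classes, each weighted by the
    multinomial coefficient and the number of symbols per class."""
    total = 0
    for counts in product(range(length + 1), repeat=len(classes)):
        if sum(counts) != length:
            continue
        if any(c < need for c, (_, need) in zip(counts, classes)):
            continue
        multinomial = factorial(length)
        symbols = 1
        for c, (size, _) in zip(counts, classes):
            multinomial //= factorial(c)
            symbols *= size ** c
        total += multinomial * symbols
    return total


def compare_policies():
    """(label, count, bits of entropy) for each policy named in the thread."""
    spaces = [
        ("8 chars, any of 94", unconstrained(8)),
        ("8 chars, >=2 upper/digit/special", with_minimums(8, RULE_2_2_2)),
        ("11 chars, any of 94", unconstrained(11)),
        ("12 chars, [a-zA-Z] only", unconstrained(12, LOWER + UPPER)),
    ]
    return [(label, n, round(log2(n), 1)) for label, n in spaces]


if __name__ == "__main__":
    for label, n, entropy in compare_policies():
        print(f"{label:36} {n:26,d}  ~{entropy} bits")
```

The composition rule leaves roughly 7% of the unconstrained 8-character space (about 3.8 bits less), while both longer policies are several orders of magnitude larger than either 8-character variant.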